[ptxdist] [PATCH] openssl: Version bump. 3.2.0 -> 3.2.1

Christian Melki Tue, 06 Feb 2024 11:40:40 -0800

Minor release, security bugfixes. All low severity.
https://www.openssl.org/news/cl32.txt


Plugs CVEs:
CVE-2024-0727: Fixed PKCS12 Decoding crashes
CVE-2023-6237: Fixed excessive time spent checking invalid RSA public keys
CVE-2023-6129: Fixed POLY1305 MAC implementation corrupting vector registers on 
PowerPC CPUs which support PowerISA 2.07.

* Remove one patch. Code was added to the release.

Signed-off-by: Christian Melki <christian.me...@t2data.com>
---
 ...frag_len-checking-if-no-Max-Fragment.patch | 41 -------------------
 .../0001-debian-targets.patch                 |  0
 .../0002-pic.patch                            |  0
 ...to-enable-ktls-if-target-does-not-st.patch |  4 +-
 ...rialize-allocation-free-of-ssl_names.patch |  0
 ...zero-call-used-regs-used-gpr-from-De.patch |  0
 .../{openssl-3.2.0 => openssl-3.2.1}/series   |  3 +-
 rules/openssl.make                            |  4 +-
 8 files changed, 5 insertions(+), 47 deletions(-)
 delete mode 100644 
patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
 rename patches/{openssl-3.2.0 => openssl-3.2.1}/0001-debian-targets.patch 
(100%)
 rename patches/{openssl-3.2.0 => openssl-3.2.1}/0002-pic.patch (100%)
 rename patches/{openssl-3.2.0 => 
openssl-3.2.1}/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch 
(96%)
 rename patches/{openssl-3.2.0 => 
openssl-3.2.1}/0004-conf-Serialize-allocation-free-of-ssl_names.patch (100%)
 rename patches/{openssl-3.2.0 => 
openssl-3.2.1}/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch 
(100%)
 rename patches/{openssl-3.2.0 => openssl-3.2.1}/series (73%)

diff --git 
a/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
 
b/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
deleted file mode 100644
index 814bd07be..000000000
--- 
a/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From: Matt Caswell <m...@openssl.org>
-Date: Tue, 2 Jan 2024 16:48:43 +0000
-Subject: [PATCH] Don't apply max_frag_len checking if no Max Fragment Length
- extension
-
-Don't check the Max Fragment Length if the it hasn't been negotiated. We
-were checking it anyway, and using the default value
-(SSL3_RT_MAX_PLAIN_LENGTH). This works in most cases but KTLS can cause the
-record length to actually exceed this in some cases.
-
-Fixes #23169
----
- ssl/record/methods/tls_common.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
-index 423777c18dd4..1a9320ae74de 100644
---- a/ssl/record/methods/tls_common.c
-+++ b/ssl/record/methods/tls_common.c
-@@ -910,11 +910,17 @@ int tls_get_more_records(OSSL_RECORD_LAYER *rl)
-         }
- 
-         /*
--         * Check if the received packet overflows the current
--         * Max Fragment Length setting.
--         * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive.
-+         * Record overflow checking (e.g. checking if
-+         * thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) is the responsibility of
-+         * the post_process_record() function above. However we check here if
-+         * the received packet overflows the current Max Fragment Length 
setting
-+         * if there is one.
-+         * Note: rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH and KTLS are
-+         * mutually exclusive. Also note that with KTLS thisrr->length can
-+         * be > SSL3_RT_MAX_PLAIN_LENGTH (and rl->max_frag_len must be 
ignored)
-          */
--        if (thisrr->length > rl->max_frag_len) {
-+        if (rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH
-+                && thisrr->length > rl->max_frag_len) {
-             RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, 
SSL_R_DATA_LENGTH_TOO_LONG);
-             goto end;
-         }
diff --git a/patches/openssl-3.2.0/0001-debian-targets.patch 
b/patches/openssl-3.2.1/0001-debian-targets.patch
similarity index 100%
rename from patches/openssl-3.2.0/0001-debian-targets.patch
rename to patches/openssl-3.2.1/0001-debian-targets.patch
diff --git a/patches/openssl-3.2.0/0002-pic.patch 
b/patches/openssl-3.2.1/0002-pic.patch
similarity index 100%
rename from patches/openssl-3.2.0/0002-pic.patch
rename to patches/openssl-3.2.1/0002-pic.patch
diff --git 
a/patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
 
b/patches/openssl-3.2.1/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
similarity index 96%
rename from 
patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
rename to 
patches/openssl-3.2.1/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
index 6275de708..6b518ef22 100644
--- 
a/patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
+++ 
b/patches/openssl-3.2.1/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
@@ -28,7 +28,7 @@ Signed-off-by: Michael Olbrich <m.olbr...@pengutronix.de>
  2 files changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
-index d1a15a115274..d15d28499a21 100644
+index 2a047caa7d4a..aa2685be93b9 100644
 --- a/Configurations/10-main.conf
 +++ b/Configurations/10-main.conf
 @@ -693,7 +693,7 @@ my %targets = (
@@ -41,7 +41,7 @@ index d1a15a115274..d15d28499a21 100644
      "linux-latomic" => {
          inherit_from     => [ "linux-generic32" ],
 diff --git a/Configure b/Configure
-index cbba1749b5a3..a69068121949 100755
+index cca1ac8d162e..c9bbcbbed3e6 100755
 --- a/Configure
 +++ b/Configure
 @@ -1765,7 +1765,7 @@ unless ($disabled{devcryptoeng}) {
diff --git 
a/patches/openssl-3.2.0/0004-conf-Serialize-allocation-free-of-ssl_names.patch 
b/patches/openssl-3.2.1/0004-conf-Serialize-allocation-free-of-ssl_names.patch
similarity index 100%
rename from 
patches/openssl-3.2.0/0004-conf-Serialize-allocation-free-of-ssl_names.patch
rename to 
patches/openssl-3.2.1/0004-conf-Serialize-allocation-free-of-ssl_names.patch
diff --git 
a/patches/openssl-3.2.0/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
 
b/patches/openssl-3.2.1/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
similarity index 100%
rename from 
patches/openssl-3.2.0/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
rename to 
patches/openssl-3.2.1/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
diff --git a/patches/openssl-3.2.0/series b/patches/openssl-3.2.1/series
similarity index 73%
rename from patches/openssl-3.2.0/series
rename to patches/openssl-3.2.1/series
index 309ec1465..cd66cc21a 100644
--- a/patches/openssl-3.2.0/series
+++ b/patches/openssl-3.2.1/series
@@ -7,5 +7,4 @@
 0004-conf-Serialize-allocation-free-of-ssl_names.patch
 0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
 #tag:upstream --start-number 100
-0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
-# d6f307e5d2ef578b08c895257daa6fbc  - git-ptx-patches magic
+# ab24a399a1a602376760e385c08ab320  - git-ptx-patches magic
diff --git a/rules/openssl.make b/rules/openssl.make
index bc1322725..7080bd50b 100644
--- a/rules/openssl.make
+++ b/rules/openssl.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_OPENSSL) += openssl
 #
 # Paths and names
 #
-OPENSSL_VERSION        := 3.2.0
-OPENSSL_MD5    := 7903549a14abebc5c323ce4e85f2cbb2
+OPENSSL_VERSION        := 3.2.1
+OPENSSL_MD5    := c239213887804ba00654884918b37441
 OPENSSL                := openssl-$(OPENSSL_VERSION)
 OPENSSL_SUFFIX := tar.gz
 OPENSSL_URL    := \
-- 
2.34.1

[ptxdist] [PATCH] openssl: Version bump. 3.2.0 -> 3.2.1

Reply via email to